Systems and methods for protecting a server computer

ABSTRACT

A server computer protection apparatus protects a server computer against DoS attacks, but allows access to the server. The server computer protection apparatus comprises a unit configured to calculate the load state of the server computer on the basis of the number of data requests made upon the server computer, and the number of data responses of the server responsive to the data requests, and for changing the rate of data requests to be transferred to the server, in accordance with the load state.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is based upon and claims the benefit of priority from the prior Japanese Patent Application No. 2002-280289, filed Sep. 25, 2002; and No. 2003-071238, filed Mar. 17, 2003, the entire contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a network system between client computers and server computers, and more particularly to a server computer protection apparatus which protects a server computer from illicit access that intentionally hampers server computer operations.

2. Description of the Related Art

In recent years, client/server systems, which comprise unspecified or specified client computers connected to one or more server computers via networks such as wide area networks, for example, the Internet, or local area networks, have been utilized in order to supply data from the server in compliance with requests made by the clients.

Packets, which include transmission data reconstructed into a predetermined size with destination information affixed thereto, are generally utilized as the format of data which flows through a network such as the Internet. The packet comprises a header and a data body. The header bears an address, for example an IP (Internet Protocol) address in the case of the Internet, which indicates the computer which transmitted the packet, and an address, for example an IP address, of the computer which is the destination of the packet.

Currently, any system connected to such a network increasingly undergoes attacks over the network. Such attacks are intended to cause systemic failures. One such attacking method is a Denial of Service (“DoS”) attack. A DoS attack is an attack whereby a large quantity of access requests are simultaneously made upon a server computer by one client. The large quantity of access requests hampers the availability of the server and makes service substantially impossible.

This attacking method is hard to distinguish from an access request made by a legal client which does not intend to attack the system. Therefore, it is difficult to avoid the attack on the server side. In some cases, the server undergoes DoS attacks from a plurality of clients. In this case, the DoS attack is called a Distributed Denial of Service attack or DDoS attack.

When a server receives a large quantity of requests which exceed the processing ability of the server, the server's resources for communication processing, for example, memory areas and line bandwidths, are successively reserved for the respective large quantity of requests until the server's resources finally become insufficient. As a result, the server fails to respond to the request from a legal client not intending interference, or communication between the client and server stagnates seriously.

Heretofore, a conventional server computer protection apparatus has been arranged between the server and the network in order to exclude the attacks. The server computer protection apparatus processes only access requests, which are repeated a number of times, as a legal access request from a legal client. Alternatively, the server computer protection apparatus processes access requests from a client, which has already given legal access, as a legal access request, and annuls packets as to the other access

Such a method, however, has the problem that, in a case where the client, which intends the attack, makes a large quantity of similar access requests, the attack cannot be prevented by the conventional server computer protection apparatus.

Furthermore, even when the above problem has been solved, the conventional server computer protection apparatus is still unsatisfactory. For example, when a legal client makes a large quantity of access requests, the client's access requests are judged as a DoS attack. Thus, in the conventional protection apparatus, legal requests are sometimes regarded as illicit access in spite of being legal. In such a case, the legal client's connection is cut off, and hence, the client's business is impeded.

SUMMARY OF THE INVENTION

The present invention is directed to a server computer protection apparatus and a server computer protection method which can protect a server against attacks from unspecified clients, but which allow access to a client that is legally accessing the server.

According to an aspect related to the present invention, there is provided a server computer protection method and apparatus, the method comprising: accepting data requests sent from client computers, as proxy for the server computer; measuring a number of data requests which have arrived from said client computers within a predetermined time period; measuring a number of responses which have been made from said server computer to said client computers within the predetermined time period; obtaining a load state of said server computer by using the number of the data requests and the number of the responses; and changing a rate of the number of data requests based on the obtained load state.

According to another aspect related to the present invention, there is provided a server computer protection method and apparatus, the method comprising: accepting data requests sent from client computers, as proxy for the server computer; receiving from said server computer information on a processing situation of said server computer; obtaining a load state of said server computer from the processing situation information; and changing a rate of a number of data requests based on the load state.

Additional advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the appended claims.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate several aspects of the present invention and together with the description, serve to explain the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing an example of a network architecture to which a server computer protection apparatus consistent with an aspect related to the present invention is applied;

FIG. 2 is a block diagram showing a server computer protection apparatus consistent with an aspect related to the present invention;

FIG. 3 is a flow chart showing an example of an operating flow of the server computer protection apparatus shown in FIG. 2;

FIG. 4 is a flow chart showing an example of the operating flow of the server computer protection apparatus shown in FIG. 2;

FIG. 5 is a block diagram showing an example of the construction of a server computer protection apparatus consistent with an aspect related to the present invention;

FIG. 6 is a flow chart showing an example of the operating flow of the server computer protection apparatus shown in FIG. 5;

FIG. 7 is a block diagram showing an example of the construction of a server computer protection apparatus consistent with an aspect related to the present invention;

FIGS. 8A and 8B are flow charts each showing an example of the operating flow of the server computer protection apparatus shown in FIG. 7;

FIG. 9 is a block diagram showing an example of the construction of a server computer protection apparatus consistent with an aspect related to the present invention; and

FIGS. 10A and 10B are flow charts each showing an example of the operating flow of the server computer protection apparatus shown in FIG. 9.

DETAILED DESCRIPTION OF THE INVENTION

Reference will now be made in detail to aspects related to the present invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

FIG. 1 shows an example of a network architecture to which a server computer protection apparatus consistent with an aspect related to the present invention is applied. The network architecture comprises clients 101-1, 101-2, 101-3, which are computers running applications utilized by users, a network 102, for example, the Internet, and a server computer protection apparatus 103. The network architecture also comprises a server 104, which is a computer that receives, through server computer protection apparatus 103, requests for data that are required by the applications utilized by each client 101, and which transmits the requested data through server computer protection apparatus 103 to each client 101. Thus, the network architecture constitutes a server/client network system wherein clients 101 request server 104 to transmit data necessary for processes and server 104 transmits the data in response to such requests. All communication between clients 101 and server 104 is performed through server computer protection apparatus 103.

FIG. 2 shows an example of server computer protection apparatus 103 consistent with an aspect related to the present invention. Server computer protection apparatus 103 includes a data request acceptance unit 201, a data request transfer unit 202, a “number of data requests” measurement unit 203, a “number of data supplies” measurement unit 204, and a response probability calculation unit 205.

FIG. 3 illustrates the flow of server computer protection apparatus 103 consistent with an aspect of the present invention. First, client 101 establishes a connection with server 104 (stage 300). After client 101 has established a connection with server 104 through server computer protection apparatus 103, client 101 transmits a request for data necessary for a process to server 104 through server computer protection apparatus 103 (stage 302). On this occasion, data request acceptance unit 201 accepts the data request, and the number of requests accepted is measured by “number of data requests” measurement unit 203 (stage 304).

Then, the request accepted by data request acceptance unit 201 is transferred toward server 104 by data request transfer unit 202 (stage 306). In response, server 104 transmits the data corresponding to the transferred request toward client 101, which made the request, through server computer protection apparatus 103 (stage 308). On this occasion, “number of data supplies” measurement unit 204 included in server computer protection apparatus 103 measures the number of completions of the accepted requests, as transmitted by server 104 (stage 310). That is, when all responses to clients 101 have been completed, the number of accepted requests as measured by “number of data requests” measurement unit 203 agrees with the number of completed requests as measured by “number of data supplies” measurement unit 204.

A case is considered in which the number of accepted requests as measured by “number of data requests” measurement unit 203 is larger than the number of completed requests as measured by “number of data supplies” measurement unit 204. The number of accepted requests being larger than the number of completed requests signifies that the processing of server 104 for the accepted requests is late, which signifies a heavy processing load. As the number of accepted requests increases more than the number of completed requests, the response of server 104 is delayed even more. In turn, all services offered by server 104 might stop due to a lack of resources. This event is the same as when server 104 is under a DoS attack from client 101. In order to avoid the shutdown of server 104, the administrator of server 104 must promptly stop requests which are transmitted from clients 101 to server 104.

However, assuming that clients 101 are merely making legal data requests until requests are stopped, the processes of the applications activated in clients 101 are interrupted or disabled by the determination of a required shutdown.

In order to reduce interruption as stated above, response probability calculation unit 205 calculates a response probability on the basis of the difference between the number of accepted requests and the number of completed requests, at least each time a request is given. Subsequently, response probability calculation unit 205 supplies the response probability to data request transfer unit 202. The “response probability” termed here signifies the ratio of the number of data responses made within a predetermined time period by server 104 to the number of data requests accepted from clients 101 within the predetermined time period. When the value of the ratio is large, data request transfer unit 202 increases the number of data requests which are to be transferred to server 104 within the predetermined time period, among the data requests accepted within the predetermined time period. Conversely, when the ratio is small, data request transfer unit 202 decreases the number of data requests which are to be transferred to server 104 within the predetermined time period.

Data request acceptance unit 201 annuls data requests which are not transferred by data request transfer unit 202 because the number of requests to be transferred within the predetermined time period has been decreased. Alternatively, data request acceptance unit 201 can retain the data requests. In the case where the data requests are retained without being annulled, a constituent for transferring the retained data requests asynchronously to new data requests is required.

As described above, when the difference between the number of accepted requests and the number of completed requests becomes small, response probability calculation unit 205 judges that the load of server 104 is light, and response probability calculation unit 205 calculates the response probability to be high. In contrast, when the difference between the numbers of accepted and completed requests becomes large, response probability calculation unit 205 judges that the load of server 104 is heavy, and response probability calculation unit 205 calculates the response probability to be low.

The process provides a server computer protection apparatus which relaxes the influence of a DoS attack that burdens the server and shuts it down, and which does not stop the process of the client.

Incidentally, regarding the number of accepted requests in “number of data requests” measurement unit 203 and the number of completed requests as measured by “number of data supplies” measurement unit 204, only a differential value may be held, for example, by adding the former requests and subtracting the latter requests. Server computer protection apparatus 103 permits the comparison of both sorts of requests.
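The following is an added worked example, not code from the patent: a Python model of the counters just described, in which the accepted count of unit 203, the completed count of unit 204 and the differential value between them drive a response probability, and transfer unit 202 passes that share of the accepted requests while the rest are annulled. The capacity parameter, the linear mapping from the difference to a probability, the deterministic credit-based pacing, the removal of annulled requests from the difference, and the two event traces are all assumptions of this example; the patent fixes only the direction of the relationship.

```python
class ProtectionApparatus:
    """Hypothetical model of server computer protection apparatus 103 (FIG. 2).

    Unit 203 counts accepted data requests, unit 204 counts the responses
    server 104 has completed, unit 205 turns the difference between the two
    into a response probability, and transfer unit 202 passes that share of
    the accepted requests toward server 104; the rest are annulled by
    acceptance unit 201 (FIG. 3, stages 302 to 310).
    """

    def __init__(self, capacity=4):
        # Uncompleted requests at which server 104 counts as fully loaded
        # (assumed tuning parameter; the patent names no value).
        self.capacity = capacity
        self.accepted = 0     # "number of data requests" measurement unit 203
        self.completed = 0    # "number of data supplies" measurement unit 204
        self.annulled = 0     # requests dropped instead of transferred
        self.credit = 0.0     # pacing state of data request transfer unit 202

    def outstanding(self):
        """Differential value kept by unit 205: accepted minus completed.
        Annulled requests are subtracted as well, because no response will
        ever arrive for them (assumption; the patent's flow does not say)."""
        return self.accepted - self.completed - self.annulled

    def response_probability(self):
        """Small difference -> probability near 1.0, large -> near 0.0
        (a linear mapping; the patent fixes only the direction)."""
        return max(0.0, 1.0 - self.outstanding() / self.capacity)

    def on_request(self):
        """Stages 302 to 306: accept and count one request, then transfer
        or annul it. Returns True when it is transferred."""
        p = self.response_probability()   # load state as the request arrives
        self.accepted += 1                # unit 203
        # Pass a share p of the accepted requests without randomness: bank
        # p per request and transfer whenever a whole request's worth of
        # credit has accumulated.
        self.credit += p
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True                   # unit 202 transfers toward server 104
        self.annulled += 1                # unit 201 annuls it (or could retain it)
        return False

    def on_response(self):
        """Stages 308 to 310: server 104 completed one transferred request."""
        self.completed += 1               # unit 204


def replay(trace, capacity=4):
    """Replay a constructed trace of "req" / "resp" events and return
    (transferred, annulled, outstanding) as the apparatus sees them."""
    app = ProtectionApparatus(capacity)
    transferred = 0
    for event in trace:
        if event == "req":
            transferred += app.on_request()
        else:
            app.on_response()
    return transferred, app.annulled, app.outstanding()


# Constructed traces: a server that answers every request at once, and one
# that has stopped answering (the situation described above).
PROMPT = ["req", "resp"] * 8
STALLED = ["req"] * 8

if __name__ == "__main__":
    print("prompt server: ", replay(PROMPT))   # (8, 0, 0)
    print("stalled server:", replay(STALLED))  # (4, 4, 4)
```

With the stalled server, the number of requests that reach server 104 saturates at the capacity value and every further request is annulled until responses arrive and shrink the difference; with the prompt server, the difference never grows and every request is transferred, which is the behaviour the passage asks for with a legal client.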

FIG. 4 shows an example of the operating flow of the server computer protection apparatus consistent with an aspect related to the present invention.

After the connection has been established from client 101 to server 104 through server computer protection apparatus 103, server computer protection apparatus 103 awaits a data request from client 101 toward server 104 (stage 400). When the request for data has been made, “number of data requests” measurement unit 203 increases the number of accepted requests as held in response probability calculation unit 205 by one (stage 402).

Next, the data request from client 101 as accepted by data request acceptance unit 201 is judged as to whether or not it may be transferred to server 104 by data request transfer unit 202 (stage 404). In the judgment at stage 404, the number of accepted requests which are not completed yet is used.

As the number of data responses within a predetermined time period is closer to the number of data requests accepted within the predetermined time period, that is, as the number of uncompleted accepted requests is smaller, server computer protection apparatus 103 judges that the load of server 104 is lighter. Conversely, as the number of data responses within the predetermined time period is smaller than the number of data requests accepted within the predetermined time period, that is, as the number of uncompleted accepted requests is larger, server computer protection apparatus 103 judges that the load of server 104 is heavier. In a case where the load on this occasion is extraordinarily heavy, server computer protection apparatus 103 can judge that server 104 may be under a DoS attack.

As stated above, the number of uncompleted accepted requests can be adopted as the load state of server 104 for the decision of stage 404. This signifies that the number of uncompleted accepted requests is also usable for discriminating whether server 104 is under a DoS attack. Thus, at stage 404, whether or not the new data request from client 101 may be transferred is judged in accordance with the number of uncompleted accepted requests. When the number of uncompleted accepted requests is small, server 104 can afford to respond, and server computer protection apparatus 103 judges that the new data request can be transferred. Conversely, when the number of uncompleted accepted requests is larger, server 104 might be under a DoS attack, and server computer protection apparatus 103 judges that the new data request may need to be annulled.

Further, in addition to accepted and completed responses, the criteria explained below can be included in the calculation by response probability calculation unit 205 of the response probability for data requests that are to be transferred by data request transfer unit 202.

The processing load of server 104 and the occupation of the communication line can also be used for judging that server 104 may possibly be under a DoS attack. Since information indicating a data amount is affixed to communication data from client 101, the data amount of the data response of server 104 to a data request from client 101 can be measured by “number of data supplies” measurement unit 204. If the responsive data amount is large, server 104 expends a high cost in generating response data, i.e., more processing and resource allocation. Moreover, the time period to communicate the response data lengthens, and the occupation time of a communication line in the network increases.

If this criterion is utilized, the data amount of the data response is considered in the judgment at stage 404 as shown in FIG. 4, in which server computer protection apparatus 103 judges whether or not the data request from client 101 as accepted by data request acceptance unit 201 may be transferred to server 104 by data request transfer unit 202.

That is, at stage 404, server computer protection apparatus 103 judges whether or not the new data request from client 101 may be transferred in accordance with the data amount of the data response. When the data amount is small, server 104 can afford to respond, and, therefore, server computer protection apparatus 103 judges that the new data request can be transferred. Conversely, when the data amount is large, server 104 might be under a DoS attack and, therefore, server computer protection apparatus 103 judges that the new data request may need to be annulled.

Data requests and the data responses to them by server 104 are respectively endowed with corresponding sequence numbers. It is therefore possible to specify which of the data requests a certain data response corresponds to. As another criterion, this information can be included in the calculation by response probability calculation unit 205 of the response probability for data requests that are to be transferred by data request transfer unit 202.

In this case, it is assumed that server 104 has responded to a certain data request from client 101. Assuming that an acknowledgment for the data response has not thereafter been obtained from client 101 for a predetermined time period, server 104 judges that the pertinent data response has not arrived at client 101, and server 104 attempts to resend the data response. As stated above, “number of data supplies” measurement unit 204 can specify which of the data requests the resent data response corresponds to.

By considering this criterion, server computer protection apparatus 103 enables server 104 to reliably communicate with client 101, and determines when client 101 intentionally sends back no acknowledgment. In such a case, server 104 repeats resending limitlessly, and in turn, server 104 is burdened with a useless processing load. Simultaneously, server 104 ties up the communication line on account of the useless resending. Thus, server computer protection apparatus 103 can judge that server 104 may possibly be under a DoS attack.

If this criterion is utilized, the number of times of resending of the data response is considered in the judgment at stage 404 as shown in FIG. 4, in which server computer protection apparatus 103 judges whether or not the data request from client 101 as accepted by data request acceptance unit 201 may be transferred to server 104 by data request transfer unit 202.

That is, at stage 404, whether or not the new data request from client 101 may be transferred is judged in accordance with the number of times of resending of the data response. When the number of times of resending is large, the possibility of a DoS attack against server 104 is higher, and server computer protection apparatus 103 can judge that the new data request may need to be annulled.

As mentioned above, data request acceptance unit 201 accepts the data request from client 101 as proxy for server 104. When the connection with server 104 as requested by client 101 has been wrongfully cut off, data request acceptance unit 201 can detect the wrongful cutoff. The “wrongful cutoff” signifies a cutoff based on the detection of the fact that normal communication can no longer be kept due to the transmission flow, for example, an abnormal command which does not conform to the protocol in use for communication. Also, “wrongful cutoff” can include the reception of a one-sided forced cutoff request or the like from client 101.

When server 104 receives an abnormal command, flow, or forced cutoff request, the server/client network must execute a recovery process for communication resources because the received item is unexpected data. If an application activated in server 104 is in the middle of an update, the server/client network also must perform an update cancellation process, such as roll-back, as part of the recovery process. These processes often require server 104 to endure heavy loads. When such abnormal communications are repeated, the load of server 104 increases, and the processing efficiency of server 104 decreases drastically. Also in this case, server computer protection apparatus 103 can judge that server 104 may possibly be under a DoS attack.

The number of times of the abnormal communications is considered in the judgment at stage 404 as shown in FIG. 4, in which server computer protection apparatus 103 judges whether or not the data request from client 101 as accepted by data request acceptance unit 201 may be transferred to server 104 by data request transfer unit 202.

That is, at stage 404, whether or not the new data request from client 101 may be transferred is judged in accordance with the number of times of the abnormal communications. As the number of times is large, the possibility of a DoS attack against server 104 is higher, and, therefore, server computer protection apparatus 103 can judge that the new data request is to be annulled.

Accordingly, by setting several criteria as described above, the server computer protection apparatus can effectively prevent a DoS attack.

In another example, in the calculation of the response probability by response probability calculation unit 205, response probability calculation unit 205 can include a response probability memory and consider a value stored in this memory, as described below.

Response probability calculation unit 205 judges the load of server 104 on the basis of information items which are acquired from “number of data requests” measurement unit 203, “number of data supplies” measurement unit 204, and data request acceptance unit 201. In this example, a calculated value is not directly converted into the load situation of server 104 for judgment, but the value is referenced to the value stored in the response probability memory of response probability calculation unit 205.

In the calculations of server computer protection apparatus 103, the values obtained from the respective measurement units have been collectively converted into values which indicate load levels of “0” to “10”. Depending upon the values obtained from the respective measurement units, the load level of server 104 might violently change from “0” to “10”, and the response probability to be calculated can greatly fluctuate.

Therefore, the values obtained from the respective measurement units are collectively converted into a value which falls within a range of ±2. Subsequently, response probability calculation unit 205 adds the value collectively obtained to the value which is stored in the response probability memory. Then, the stored value fluctuates only within the range of ±2 per measurement, and server computer protection apparatus 103 can suppress the great fluctuation of the response probability seen in the above example, on the assumption that the response probability memory holds the values of “0” to “10”.

If the fluctuation of the response probability proceeds too rapidly, the load on server 104 is not constant, and server 104 sometimes becomes unstable.

Accordingly, the aforementioned range of the values which are held in the response probability memory, and the range of the collective values of the values obtained from the respective measurement units, are appropriately determined, whereby the fluctuation of the number of data requests arriving at server 104 from client 101 can be relaxed to protect server 104.
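As an added example, not code from the patent: a Python model of the response probability memory, in which each measurement round (uncompleted requests, response data amount, resend count and abnormal-communication count, the criteria discussed for stage 404) is collapsed into one collective value clamped to ±2 and added to a stored load level of 0 to 10, from which the response probability is read. The thresholds that turn each measurement into a score, the capacity value, the constructed measurement rounds, and the comparison function direct_levels (which shows the unsmoothed behaviour) are assumptions of this example.

```python
def clamp(value, low, high):
    """Confine value to the closed range [low, high]."""
    return max(low, min(high, value))


def collective_value(outstanding, response_bytes, resends, abnormal,
                     capacity=4, large_response=64 * 1024):
    """Collapse one round of measurements into a single load-change value.

    Positive values mean the load on server 104 is rising, negative values
    that it is falling; the result is confined to -2..+2 so the stored level
    can move by at most 2 per round. All thresholds are assumptions.
    """
    score = 0
    # Uncompleted accepted requests: the primary load state (units 203/204).
    if outstanding >= capacity:
        score += 2
    elif outstanding > capacity // 2:
        score += 1
    elif outstanding == 0:
        score -= 2
    else:
        score -= 1
    # Large responses cost more processing and occupy the line longer.
    if response_bytes > large_response:
        score += 1
    # Resent responses: the client may be withholding acknowledgments.
    if resends > 0:
        score += 1
    # Abnormal commands or forced cutoffs force costly recovery processing.
    if abnormal > 0:
        score += 1
    return clamp(score, -2, 2)


class ResponseProbabilityMemory:
    """Hypothetical model of the response probability memory of unit 205.

    The stored value is a load level from 0 (idle) to 10 (fully loaded).
    Each round adds the collective value to it, so the level, and the
    response probability derived from it, change gradually.
    """

    LEVEL_MIN, LEVEL_MAX = 0, 10

    def __init__(self, level=0):
        self.level = level

    def update(self, collective):
        """Add one round's collective value (already within -2..+2)."""
        self.level = clamp(self.level + collective, self.LEVEL_MIN, self.LEVEL_MAX)
        return self.level

    def response_probability(self):
        """Level 0 gives probability 1.0, level 10 gives 0.0."""
        return 1.0 - self.level / self.LEVEL_MAX


# Constructed measurement rounds: (uncompleted requests, response bytes,
# resend count, abnormal-communication count). An idle server, a sudden burst
# that persists with large responses and one forced cutoff, then idle again.
ROUNDS = [
    (0, 1024, 0, 0),
    (8, 1024, 0, 0),
    (8, 200_000, 0, 1),
    (0, 1024, 0, 0),
    (0, 1024, 0, 0),
]


def direct_levels(rounds, capacity=4):
    """Load level per round when the measurement is converted directly into
    a 0..10 level (the violent change the memory is meant to suppress)."""
    return [clamp(round(10 * out / capacity), 0, 10) for out, *_ in rounds]


def smoothed_levels(rounds, capacity=4):
    """Load level per round when each round passes through the memory."""
    memory = ResponseProbabilityMemory()
    return [memory.update(collective_value(*r, capacity=capacity)) for r in rounds]


if __name__ == "__main__":
    print("direct:  ", direct_levels(ROUNDS))    # [0, 10, 10, 0, 0]
    print("smoothed:", smoothed_levels(ROUNDS))  # [0, 2, 4, 2, 0]
```

The direct conversion jumps from level 0 to 10 and back within two rounds, so the response probability would swing between 1.0 and 0.0; through the memory the same rounds move the level by at most 2 per round, and the probability only reaches 0.6 before recovering.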

Referring again to FIG. 4, when server computer protection apparatus 103 has judged that the new data request from client 101 is to be transferred to server 104, data request transfer unit 202 transfers this data request to server 104 (stage 406). In contrast, when server computer protection apparatus 103 has judged that the new data request is not to be transferred, this data request is annulled from within data request acceptance unit 201, and a new data request from client 101 is awaited again (stage 400).

When the data request from client 101 has been transferred to server 104, server 104 subsequently issues a response to this data request, and hence, server computer protection apparatus 103 transfers the response to client 101 (stage 408).

Finally, the number of completed requests is measured in accordance with the response by “number of data supplies” measurement unit 204, and the number of accepted requests as held in response probability calculation unit 205 is decreased by one (stage 410). If the connection from client 101 to server 104 is maintained, a similar operating flow is repeated again so as to await a new data request from client 101 toward server 104 (stage 400).

According to the server computer protection method based on such a flow, the server computer protection apparatus relaxes the influence of a DoS attack that burdens the server and shuts it down, and does not stop the process of the client.

In another aspect related to the present invention, a server computer protection apparatus can be configured to separately maintain information on each client. FIG. 5 shows an example of the construction of the server computer protection apparatus 503 consistent with this aspect, which is utilized in the network architecture shown in FIG. 1. Server computer protection apparatus 503 includes a data request acceptance unit 502, a data request transfer unit 504, “number of data requests” measurement units 506, a “number of data supplies” measurement unit 508 and response probability calculation units 510. Server computer protection apparatus 503 differs from server computer protection apparatus 103 shown in FIG. 2 in that the apparatus includes a plurality of “number of data requests” measurement units 506 and response probability calculation units 510. Each measurement unit processes the data requests transmitted from one of clients 101 (for example, clients 101-1, 101-2, 101-3), in correspondence with the respective client.

In order to separately execute the processes of the respective clients, it is necessary to discriminate which of the clients have transmitted the requests to be processed. The discrimination can be achieved by referring to the IP addresses in the header information of the packets contained in the data requests transmitted from the respective clients, which indicate the transmission sources. Likewise, the client 101 that is the destination of a server 104 response can be discriminated by referring to the IP address in the header information of the packets contained in the server response, which indicates the destination.

The components of server computer protection apparatus 503 function similarly to the components of server computer protection apparatus 103.

FIG. 6 shows an example of the operating flow of the server computer protection apparatus 503 consistent with an aspect related to the present invention.

After client 101 establishes a connection to server 104 through server computer protection apparatus 503, a set consisting of a “number of data requests” measurement unit 506 and a response probability calculation unit 510 is allotted to the predetermined client 101. Next, server computer protection apparatus 503 awaits a data request from client 101 toward server 104 (stage 600). When the request for data has been made, the “number of data requests” measurement unit 506 allotted to client 101 increases by one the number of accepted requests as held in the response probability calculation unit 510 which forms the set (stage 602).

Then, the data request from the predetermined client 101 as accepted by data request acceptance unit 502 is judged as to whether or not it may be transferred to server 104 by data request transfer unit 504 (stage 604). In the judgment at stage 604, the number of accepted requests which are not completed yet is used.

As the number of data responses within a predetermined time period is closer to the number of data requests accepted within the predetermined time period, that is, as the number of uncompleted accepted requests is smaller, server computer protection apparatus 503 judges that the load of server 104 attributed to the predetermined client 101 is lighter. Conversely, as the number of data responses within the predetermined time period is smaller than the number of data requests accepted within the predetermined time period, that is, as the number of uncompleted accepted requests is larger, server computer protection apparatus 503 judges that server 104 completes a smaller number of processes responsive to the data requests from the predetermined client 101 within the predetermined time period. That is, the server's load is heavier. In a case where the load on this occasion is extraordinarily heavy, server computer protection apparatus 503 can judge that server 104 may possibly be under a DoS attack.

For the reasons stated above, the number of uncompleted accepted requests can be adopted as the load state of server 104 for the decision of stage 604. This signifies that the number of uncompleted accepted requests is also usable for discriminating whether server 104 is under a DoS attack. At stage 604, server computer protection apparatus 503 determines whether or not the new data request from the predetermined client 101 may be transferred in accordance with the number of uncompleted accepted requests. When the number of uncompleted accepted requests is small, server 104 can afford to respond and, therefore, server computer protection apparatus 503 judges that the new data request can be transferred. Conversely, when the number of uncompleted accepted requests is large, server 104 might be under a DoS attack and, therefore, server computer protection apparatus 503 judges that the new data request may need to be annulled.
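An added example, not the patent's code, of the per-client bookkeeping of apparatus 503 described in the preceding paragraphs: the source IP address in each request's header selects (or allots, on first appearance) that client's own measurement set, the destination IP address of a server response selects the set whose completed count is incremented, and the stage 604 judgment uses only that client's uncompleted count, so one client's flood does not throttle another. The packet header text format, the per-client limit, the server address 192.0.2.10 and the client addresses are constructed for this example.

```python
def parse_header(packet):
    """Read the source and destination IP addresses from a constructed
    packet header written as 'src=<ip> dst=<ip>' text."""
    fields = dict(part.split("=", 1) for part in packet.split())
    return fields["src"], fields["dst"]


class PerClientApparatus:
    """Hypothetical model of apparatus 503 (FIG. 5).

    One set of ("number of data requests" unit 506, response probability
    unit 510) is allotted per client, keyed by the source IP address of the
    client's request packets; the single "number of data supplies" unit 508
    credits each server response to the set named by its destination IP.
    """

    def __init__(self, server_ip, limit=3):
        self.server_ip = server_ip
        self.limit = limit   # uncompleted requests a client may have in flight (assumed)
        self.sets = {}       # client IP -> accepted / completed / annulled counters

    def set_for(self, client_ip):
        """Return the client's set, allotting one on first appearance."""
        return self.sets.setdefault(
            client_ip, {"accepted": 0, "completed": 0, "annulled": 0})

    def uncompleted(self, client_ip):
        """Accepted requests of this client not yet completed. Annulled
        requests never complete, so they are excluded (assumption)."""
        s = self.set_for(client_ip)
        return s["accepted"] - s["completed"] - s["annulled"]

    def on_request(self, packet):
        """Stages 600 to 604 for one request packet; True if transferred."""
        src, dst = parse_header(packet)
        if dst != self.server_ip:
            return False                          # not for the protected server
        s = self.set_for(src)
        s["accepted"] += 1                        # stage 602, this client's unit 506
        if self.uncompleted(src) > self.limit:    # stage 604, this client's count only
            s["annulled"] += 1
            return False
        return True                               # transfer unit 504 passes it on

    def on_response(self, packet):
        """Credit a server 104 response to the destination client's set."""
        src, dst = parse_header(packet)
        if src == self.server_ip and dst in self.sets:
            self.sets[dst]["completed"] += 1      # unit 508


def replay(packets, server_ip="192.0.2.10", limit=3):
    """Feed constructed packets through the apparatus and return
    {client_ip: (transferred, annulled)}."""
    app = PerClientApparatus(server_ip, limit)
    transferred = {}
    for pkt in packets:
        src, _ = parse_header(pkt)
        if src == server_ip:
            app.on_response(pkt)
        elif app.on_request(pkt):
            transferred[src] = transferred.get(src, 0) + 1
    return {ip: (transferred.get(ip, 0), s["annulled"])
            for ip, s in app.sets.items()}


# Constructed traffic: 10.0.0.1 fires six requests and never lets any complete,
# while 10.0.0.2 sends two requests that the server answers promptly.
FLOOD = ["src=10.0.0.1 dst=192.0.2.10"] * 6
NORMAL = [
    "src=10.0.0.2 dst=192.0.2.10",
    "src=192.0.2.10 dst=10.0.0.2",
    "src=10.0.0.2 dst=192.0.2.10",
    "src=192.0.2.10 dst=10.0.0.2",
]

if __name__ == "__main__":
    # {'10.0.0.1': (3, 3), '10.0.0.2': (2, 0)} regardless of interleaving
    print(replay(FLOOD + NORMAL))
    print(replay(FLOOD[:3] + NORMAL + FLOOD[3:]))
```

Because each client's judgment reads only its own set, the result is the same whether the flood arrives before, after or interleaved with the legal client's traffic; with the single shared set of apparatus 103 the flood would have raised the load state seen by every client.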

Further, in addition to accepted and completed responses, criteriaexplained below can be included in the probability calculation unit 510calculation of the response probability for data requests that are to betransferred the data request transfer unit 504.

The processing load of server 104 and the occupation of thecommunication line can also be used for judging that server 104 maypossibly be under a DoS attack. Since information indicating a dataamount is affixed to communication data from client 101, the data amountof the data response of server 104 to a data request from client 101 canbe measured by “number of data supplies” measurement unit 508. If theresponsive data amount is large, server 104 expends a high cost ingenerating response data, i.e. more processing and resource allocation.Moreover, a time period to communicate the response data lengthens, andthe occupation time of a communication line in the network increases.

If this criterion is utilized, the data amount of the data response isconsidered in the judgment at stage 604 as shown in FIG. 6 in whichserver computer protection apparatus 503 judges whether or not the datarequest from client 101 as accepted by data request acceptance unit 502may be transferred to server 104 by data request transfer unit 504.

That is, at stage 604, server computer protection apparatus 503 judgeswhether or not the new data request from the client 101 may betransferred in accordance with the data amount of the data response.When the data amount is smaller, server 104 can afford to respond and,therefore, server computer protection apparatus 503 judges that the newdata request can to be transferred. Conversely, when the data amount islarger, server 104 might be under a DoS attack and, therefore, servercomputer protection apparatus 503 judges that the new data request mayneed to be annulled.

Data requests, and the data responses to them by server 104, are respectively endowed with corresponding sequence numbers. It is therefore possible to specify which of the data requests a certain data response corresponds to. As another criterion, this information can be included in the response probability calculation unit 510 calculation of the response probability for data requests that are to be transferred by data request transfer unit 504.

In this case, it is assumed that server 104 has responded to a certain data request from client 101. Assuming that an acknowledgment for the data response has not thereafter been obtained from client 101 for a predetermined time period, server 104 judges that the pertinent data response has not arrived at client 101, and server 104 attempts to resend the data response. As stated above, “number of data supplies” measurement unit 508 can specify which of the data requests the resent data response corresponds to.

By considering this criterion, server computer protection apparatus 503 can both keep the communication between server 104 and client 101 reliable and determine when client 101 intentionally sends back no acknowledgment. In such a case, server 104 repeats resending limitlessly, and in turn, server 104 is burdened with a useless processing load. Simultaneously, server 104 ties up the communication line on account of the useless resending. Thus, server computer protection apparatus 503 can judge that server 104 may possibly be under a DoS attack.

If this criterion is utilized, the number of times of resending of the data response is considered in the judgment at stage 604 as shown in FIG. 6, in which server computer protection apparatus 503 judges whether or not the data request from client 101 as accepted by data request acceptance unit 502 may be transferred to server 104 by data request transfer unit 504.

That is, at stage 604, whether or not the new data request from client 101 may be transferred is judged in accordance with the number of times of resending of the data response. When the number of times of resending is larger, the possibility of a DoS attack against server 104 is higher, and server computer protection apparatus 503 can judge that the new data request may need to be annulled.

As mentioned above, data request acceptance unit 502 accepts the data request from client 101 as proxy for server 104. When the connection with server 104 as requested by client 101 has been wrongfully cut off, data request acceptance unit 502 can detect the wrongful cutoff. The “wrongful cutoff” signifies a cutoff based on the detection of the fact that normal communication can no longer be kept due to the transmission, flow or the like of, for example, an abnormal command which does not conform to the protocol used for communication. Also, “wrongful cutoff” includes the reception of a one-sided forced cutoff request or the like from client 101.

When server 104 receives an abnormal command, flow, or the forced cutoff request, the server/client network must execute a recovery process for communication resources because the received item is unexpected data. In the presence of any renewed application which is activated in server 104, the server/client network also must perform a renewal cancellation process such as roll-back because of the recovery process. These processes often require server 104 to endure heavy loads. When such abnormal communications are repeated, the load of server 104 increases, and the processing efficiency of server 104 decreases drastically. Also in this case, server computer protection apparatus 503 can judge that server 104 may possibly be under a DoS attack.

The number of times of the abnormal communications is considered in the judgment at stage 604 as shown in FIG. 6, in which server computer protection apparatus 503 judges whether or not the data request from client 101 as accepted by data request acceptance unit 502 may be transferred to server 104 by data request transfer unit 504.

That is, at stage 604, whether or not the new data request from client 101 may be transferred is judged in accordance with the number of times of the abnormal communications. As the number of times is larger, the possibility of a DoS attack against server 104 is higher, and, therefore, server computer protection apparatus 503 judges that the new data request is to be annulled.

Accordingly, by setting several criteria as described above, server computer protection apparatus 503 can effectively prevent DoS attacks.

In another example, in the calculation of the response probability by response probability calculation unit 510, response probability calculation unit 510 can include a response probability memory and consider a value stored in this memory, as described below.

Response probability calculation unit 510 judges the load of server 104 as applied by the corresponding client, on the basis of information items which are acquired from “number of data requests” measurement unit 506, “number of data supplies” measurement unit 508 and data request acceptance unit 502. In this example, a calculated value is not directly converted into the load situation of server 104 for judgment, but the value is referenced to the value stored in the response probability memory of response probability calculation unit 510.

In the calculations of server computer protection apparatus 503, the values obtained from the respective measurement units have been collectively converted into values which indicate load levels of “0” to “10”. Depending upon the values obtained from the respective measurement units, the load level of server 104 might violently change from “0” to “10”, and the response probability to be calculated can greatly fluctuate.

Therefore, the values obtained from the respective measurement units are collectively converted into a value which falls within a range of ±2. Subsequently, response probability calculation unit 510 adds the value collectively obtained to the value which is stored in the response probability memory. Then, the value fluctuates only within the range of ±2 per measurement, and server computer protection apparatus 503 can suppress the great fluctuation of the response probability seen in the above example, based on the assumption that the response probability memory holds the values of “0” to “10”.

Assuming that the fluctuation of the response probability proceeds too rapidly, the load on server 104 is not constant, and server 104 sometimes becomes unstable.

Accordingly, the aforementioned range of the values which are held in the response probability memory, and the range of the collective values of the values obtained from the respective measurement units, are appropriately determined, whereby the fluctuation of the number of data requests arriving at server 104 from client 101 can be relaxed to protect server 104.

Referring again to FIG. 6, when server computer protection apparatus 503 has judged that the new data request from predetermined client 101 is to be transferred to server 104, data request transfer unit 504 transfers this data request to server 104 (stage 606). In contrast, if server computer protection apparatus 503 has judged that the new data request is not to be transferred, this data request is annulled from within data request acceptance unit 502, and a new data request from predetermined client 101 is awaited again (stage 600).

When the data request from predetermined client 101 has been transferred to server 104, server 104 issues a response to this data request, and hence, server computer protection apparatus 503 transfers the response to predetermined client 101 (stage 608).

Finally, the number of completed requests is measured in accordance with the response by “number of data supplies” measurement unit 508, and the number of accepted requests held in response probability calculation unit 510 and allotted to predetermined client 101 is decreased by one (stage 610). If the connection from predetermined client 101 to server 104 is maintained, a similar operating flow is repeated again so as to await a new data request from predetermined client 101 toward server 104 (stage 600).

According to the server computer protection method based on such a flow, the server computer protection apparatus relaxes the influence of a DoS attack that burdens the server and shuts it down, does not stop the process of the client, and provides a control for server computer protection that is fine-grained for each client.
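As an added example, not code from the patent, the following Python models the FIG. 6 flow of apparatus 503: per-client counters for the criteria discussed above (uncompleted requests, response data amount, resends, wrongful cutoffs), the conversion into a load level of 0 to 10 stored in a response probability memory that moves by at most ±2 per measurement, and the transfer-or-annul decision of stage 604. The criterion weights, the deterministic shaping rule and the omission of the time window are assumptions.

```python
"""Added example (not the patent's code): per-client request shaping in the
style of the FIG. 5 / FIG. 6 flow. The weighting of the criteria, the +/-2
step rule and the deterministic shaping are assumptions; counters are not
windowed, which the patent's predetermined time period would add."""
from dataclasses import dataclass

LOAD_MAX = 10   # the response probability memory holds load levels "0" to "10"
STEP_MAX = 2    # one measurement moves the stored level by at most +/-2


@dataclass
class ClientCounters:
    """Per-client measurements (units 506/508 and acceptance unit 502)."""
    requests: int = 0          # data requests that arrived from the client
    transferred: int = 0       # of those, forwarded to the server
    completed: int = 0         # data responses the server has returned
    response_bytes: int = 0    # data amount of those responses
    resends: int = 0           # responses resent because no ACK came back
    abnormal_cutoffs: int = 0  # protocol-violating commands / forced cutoffs

    @property
    def uncompleted(self) -> int:
        """Accepted (forwarded) requests the server has not answered yet."""
        return self.transferred - self.completed


def raw_load_level(c: ClientCounters) -> int:
    """Collapse the criteria into one load level in the range 0..10.

    Each criterion adds points (weights assumed for illustration) and the
    sum is clamped so that the level always fits the memory's range.
    """
    level = c.uncompleted                       # backlog of unanswered requests
    level += min(2, c.response_bytes // 65536)  # large responses cost more
    level += min(2, c.resends)                  # useless resends tie up the line
    level += min(2, c.abnormal_cutoffs)         # recovery / roll-back work
    return max(0, min(LOAD_MAX, level))


def smooth(stored: int, raw: int) -> int:
    """Move the stored level towards the raw level by at most STEP_MAX."""
    delta = max(-STEP_MAX, min(STEP_MAX, raw - stored))
    return max(0, min(LOAD_MAX, stored + delta))


class ProtectionApparatus503:
    """Response probability calculation and transfer decision per client."""

    def __init__(self) -> None:
        self.counters: dict = {}   # client id -> ClientCounters
        self.memory: dict = {}     # client id -> stored load level (0..10)

    def _c(self, client: str) -> ClientCounters:
        return self.counters.setdefault(client, ClientCounters())

    def measure(self, client: str) -> int:
        """One measurement: update the response probability memory."""
        self.memory[client] = smooth(self.memory.get(client, 0),
                                     raw_load_level(self._c(client)))
        return self.memory[client]

    def response_probability(self, client: str) -> float:
        """Share of the client's requests to forward: 1.0 at level 0, 0.0 at 10."""
        return 1.0 - self.memory.get(client, 0) / LOAD_MAX

    def on_request(self, client: str) -> bool:
        """Stage 602-606: accept the request, then transfer (True) or annul (False).

        Deterministic shaping: a request is forwarded only while the share
        already forwarded stays below the response probability.
        """
        c = self._c(client)
        c.requests += 1
        self.measure(client)
        if c.transferred < self.response_probability(client) * c.requests:
            c.transferred += 1
            return True
        return False

    def on_response(self, client: str, nbytes: int, resent: bool = False) -> None:
        """Stage 608-610: a response came back; count it as completed or resent."""
        c = self._c(client)
        c.response_bytes += nbytes
        if resent:
            c.resends += 1
        else:
            c.completed += 1

    def on_abnormal_cutoff(self, client: str) -> None:
        """Acceptance unit 502 detected a wrongful cutoff from the client."""
        self._c(client).abnormal_cutoffs += 1
```

A client whose requests are answered keeps a level of 0 and is always forwarded, while one that never completes its requests is throttled gradually rather than cut off at once.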

In another aspect related to the present invention, a server computer protection apparatus can receive processing situation information from a server. FIG. 7 shows an example of the construction of server computer protection apparatus 703 consistent with this aspect, which is utilized in the network architecture shown in FIG. 1. Server computer protection apparatus 703 includes a data request acceptance unit 702, a data request transfer unit 704, a response probability calculation unit 706 and a processing situation reception unit 708.

After client 101 has established its connection with server 104 through server computer protection apparatus 703, client 101 transmits a request for data necessary for a process to server 104 through server computer protection apparatus 703. On this occasion, the request upon server 104 is accepted by data request acceptance unit 702.

Then, the request accepted by data request acceptance unit 702 is transferred toward server 104 by data request transfer unit 704. In response, server 104 transmits the data corresponding to the transferred request toward client 101, which made the request, through server computer protection apparatus 703.

Processing situation reception unit 708 receives from server 104 information on the processing situation of server 104 itself. Concretely, the information is, for example, the load situation of server 104 at the time of transmission. The information which is supplied by server 104 may well contain the progress of the process of server 104 or the processed result of server 104 which is linked with the data request accepted by data request acceptance unit 702. In this case, the information makes known, for example, that a certain data request and a load applied to server 104 by an application activated for processing the data request are associated with each other.

When the processing situation information acquired from server 104 at a predetermined time interval or at any desired timing is analyzed, server computer protection apparatus 703 can determine the relation between the data request made by client 101 and the load situation of server 104. For example, after a certain data request has been made by client 101, the load of server 104 fluctuates suddenly. If client 101 successively makes data requests and the load of server 104 is suddenly heightened, the processing ability of server 104 will be drastically decreased. In turn, all services offered by server 104 might be stopped. This can mean that server 104 is under a DoS attack from client 101. In order to avoid the shutdown of server 104, the administrator of server 104 must promptly stop requests which are transmitted from clients 101 to server 104.

However, assuming that clients 101 are merely making legitimate data requests until requests are stopped, the processes of the applications activated in clients 101 are interrupted or disabled by the determination of a required shutdown.

In order to reduce interruption as stated above, response probability calculation unit 706 calculates a response probability on the basis of the processing situation information, at least each time the information is acquired from server 104. Subsequently, response probability calculation unit 706 supplies the response probability to data request transfer unit 704. The “response probability” termed here signifies the ratio of the number of data responses made within a predetermined time period by server 104 to the number of data requests accepted from clients 101 within the predetermined time period. When the ratio is large, data request transfer unit 704 increases the number of data requests which are to be transferred to server 104 within the predetermined time period, among the data requests accepted within the predetermined time period. Conversely, when the ratio is small, data request transfer unit 704 decreases the number of data requests which are to be transferred to server 104 within the predetermined time period.

Data request acceptance unit 702 annuls data requests which are not transferred by data request transfer unit 704 because the number of requests to be transferred within the predetermined time period has been decreased. Alternatively, data request acceptance unit 702 can retain the data requests. In the case where the data requests are retained without being annulled, a constituent for transferring the retained data requests asynchronously to new data requests is required.

As described above, when response probability calculation unit 706 judges from the processing situation information acquired from server 104 that the load of server 104 is light, response probability calculation unit 706 calculates the response probability to be high. When response probability calculation unit 706 judges that the load of server 104 is heavy, response probability calculation unit 706 calculates the response probability to be low.

The process provides a server computer protection apparatus which relaxes the influence of a DoS attack that burdens the server and shuts it down, and which does not stop the process of the client.

FIGS. 8A and 8B show examples of the operating flows of server computer protection apparatus 703 consistent with an aspect related to the present invention.

The flow shown in FIG. 8A is for acquiring processing situation information from server 104. On the other hand, FIG. 8B shows the flow in which a data request is accepted from client 101 and is delivered to server 104. The two flows are processed asynchronously.

First, as illustrated in FIG. 8A, in order to acquire from server 104 the information on the server process, processing situation reception unit 708 awaits the transmission of the information (stage 800). Subsequently, server computer protection apparatus 703 determines whether or not the information has been normally acquired (stage 802). In a case where the information has been normally acquired, processing situation reception unit 708 decides the processing load of server 104 (stage 804). The process shown in FIG. 8A is executed each time the processing situation information is acquired from server 104, and the situation of the processing load of server 104 is determined in real time.

In a case where the processing situation information has not been acquired at stage 802, server computer protection apparatus 703 awaits the transmission of the information (stage 800).

Next, FIG. 8B will be described.

After the connection has been established from client 101 to server 104 through server computer protection apparatus 703, a data request from client 101 toward server 104 is awaited (stage 806).

The data request from client 101 as accepted by data request acceptance unit 702 is judged as to whether or not it may be transferred to server 104 by data request transfer unit 704 (stage 808). In the judgment at stage 808, the processing load of server 104 as decided by processing situation reception unit 708 is used. When the load is low, server 104 can afford to respond, and server computer protection apparatus 703 judges that the new data request can be transferred. Conversely, when the load is higher, server 104 might be under a DoS attack, and server computer protection apparatus 703 judges that the new data request may need to be annulled.

Further, in addition to load data, the criteria explained below can be included in the response probability calculation unit 706 calculation of the response probability for data requests that are to be transferred by data request transfer unit 704.

When the processing situation information items of server 104 are derived in succession, a feature can in some cases be found in a data request and the load of server 104. For example, after a certain data request has been accepted by data request acceptance unit 702 and transferred by data request transfer unit 704, the load of the process of server 104 rises suddenly.

When such a sudden rise has been found, server computer protection apparatus 703 can judge that server 104 may possibly be under a DoS attack.

Whether or not there is a tendency for a sudden rise of the processing load is considered in the judgment at stage 808. As shown in FIG. 8B, server computer protection apparatus 703 judges whether or not the data request from client 101 as accepted by data request acceptance unit 702 may be transferred to server 104 by data request transfer unit 704.

That is, at stage 808, server computer protection apparatus 703 judges whether or not the new data request from client 101 may be transferred in consideration of the tendency of the load. If a sudden rise of the load is found, there is the possibility that server 104 is under a DoS attack, and server computer protection apparatus 703 judges that the new data request may need to be annulled.

Conversely, the load of server 104 sometimes lowers suddenly as soon as a certain data request from client 101 is canceled. When the processing load lowers suddenly, server computer protection apparatus 703 can judge that server 104 may possibly have been under a DoS attack.

Whether or not there is a tendency toward a sudden lowering of the processing load is also considered in the judgment at stage 808. As shown in FIG. 8B, server computer protection apparatus 703 judges whether or not the data request from client 101 as accepted by data request acceptance unit 702 may be transferred to server 104 by data request transfer unit 704.

That is, at stage 808, server computer protection apparatus 703 judges whether or not the new data request from client 101 may be transferred in consideration of the tendency of the load. If a sudden lowering of the load is found, there is the possibility that server 104 has been under a DoS attack, and server computer protection apparatus 703 judges that a new data request is to be annulled rather than readily accepted.

In another example, in the calculation of the response probability by response probability calculation unit 706, response probability calculation unit 706 can include a response probability memory and consider a value stored in this memory, as described below.

Response probability calculation unit 706 judges the load of server 104 on the basis of the processing situation information of server 104 as received by processing situation reception unit 708. In this example, a calculated value is not directly converted into the load situation of server 104 for judgment, but the value is referenced to the value stored in the response probability memory of response probability calculation unit 706.

In the calculation of server computer protection apparatus 703, the values obtained from units 702 and 708 have been collectively converted into values which indicate load levels of “0” to “10”. Depending upon the values obtained from the respective units, the load level of server 104 might violently change from “0” to “10”, and the response probability to be calculated can greatly fluctuate.

Therefore, the values obtained from the respective units 702 and 708 are collectively converted into a value which falls within a range of ±2. Subsequently, response probability calculation unit 706 adds the value collectively obtained to the value which is stored in the response probability memory. Then, the value fluctuates only within the range of ±2 per measurement, and server computer protection apparatus 703 suppresses the great fluctuation of the response probability seen in the above example, based on the assumption that the response probability memory holds the values

Assuming that the fluctuation of the response probability proceeds too rapidly, the load on server 104 is not constant, and server 104 sometimes becomes unstable.

Accordingly, the aforementioned range of the values which are held in the response probability memory, and the range of the collective values of the values obtained from respective units 702 and 708, are appropriately determined, whereby the fluctuation of the number of data requests arriving at server 104 from client 101 can be relaxed to protect server 104.

Referring again to FIG. 8, when server computer protection apparatus 703 has judged that the new data request from client 101 is to be transferred to server 104, data request transfer unit 704 transfers this data request to server 104 (stage 810). In contrast, when server computer protection apparatus 703 has judged that the new data request is not to be transferred, this data request is annulled from within data request acceptance unit 702, and a new data request from client 101 is awaited again (stage 806).

When the data request from client 101 has been transferred to server 104, server 104 subsequently issues a response to this data request, and hence, server computer protection apparatus 703 transfers the response to client 101 (stage 812).

If the connection from client 101 to server 104 is maintained, a similar operating flow is repeated again so as to await a new data request from client 101 toward server 104 (stage 806).

According to the server computer protection method based on such a flow, the server computer protection apparatus relaxes the influence of a DoS attack that burdens the server and shuts it down, and does not stop the process of the client.

In another aspect related to the present invention, a server computer protection apparatus can receive processing situation information for a server in relation to each client. FIG. 9 shows an example of the construction of server computer protection apparatus 903 consistent with this aspect, which is utilized in the network architecture shown in FIG. 1. Server computer protection apparatus 903 includes a data request acceptance unit 902, a data request transfer unit 904, response probability calculation units 906 and a processing situation reception unit 908.

Server computer protection apparatus 903 differs from server computer protection apparatus 703 in that a plurality of response probability calculation units 906 are included. These units process the transfers of data requests transmitted from the plurality of clients 101 (for example, clients 101-1, 101-2, 101-3), in correspondence with the respective clients.

In order to separately execute the processes of each client, server computer protection apparatus 903 can discriminate which clients have transmitted the requests to be processed. Server computer protection apparatus 903 discriminates the clients by referring to the IP addresses in the header information of the packets contained in the data requests transmitted from the respective clients, which indicate the transmission sources. Server computer protection apparatus 903 discriminates a server response by referring to the IP address in the header information of the packets contained in the server response, which indicates the destination.

The components of server computer protection apparatus 903 function similarly to the components of server computer protection apparatus 703.

FIGS. 10A and 10B show examples of the operating flows of server computer protection apparatus 903 consistent with an aspect related to the present invention.

The flow shown in FIG. 10A is for acquiring processing situation information from server 104. On the other hand, FIG. 10B shows the flow in which a data request is accepted from client 101 and is delivered to server 104. The two flows are processed asynchronously.

First, as shown in FIG. 10A, in order to acquire from server 104 the information on the server process, processing situation reception unit 908 awaits the transmission of the information (stage 1000). Subsequently, server computer protection apparatus 903 determines whether or not the information has been normally acquired (stage 1002). In a case where the information has been normally acquired, processing situation reception unit 908 decides the processing load of server 104 for each client (stage 1004). The process shown in FIG. 10A is executed each time the processing situation information is acquired from server 104, and the situation of the processing load of server 104 as applied by each client is determined in real time.

In a case where the processing situation information has not been acquired at stage 1002, server computer protection apparatus 903 awaits the transmission of the information (stage 1000).

Next, FIG. 10B will be described.

After the connection has been established from client 101 to server 104 through server computer protection apparatus 903, and a response probability calculation unit 906 has been allotted to a particular client 101, server computer protection apparatus 903 awaits a data request from that client 101 toward server 104 (stage 1006).

The data request from predetermined client 101 as accepted by data request acceptance unit 902 is judged as to whether or not it may be transferred to server 104 by data request transfer unit 904 (stage 1008). In the judgment at stage 1008, the processing load of server 104 as decided by processing situation reception unit 908 is used. When the load is low, server 104 can afford to respond to the particular client 101, and server computer protection apparatus 903 judges that the new data request can be transferred. Conversely, when the load is high, there is the possibility that server 104 is under a DoS attack from the particular client, and server computer protection apparatus 903 judges that the new data request may need to be annulled.

Further, in addition to load data, the criteria explained below can be included in the response probability calculation unit 906 calculation of the response probability for data requests that are to be transferred by data request transfer unit 904.

When the processing situation information items of server 104 are derived in succession, a feature can in some cases be found in the data requests from predetermined clients and the load of server 104. For example, after a certain data request has been accepted by data request acceptance unit 902 and transferred by data request transfer unit 904, the load of the process of server 104 rises suddenly.

When such a sudden rise has been found, server computer protection apparatus 903 can judge that server 104 may possibly be under a DoS attack.

Whether or not there is a tendency for a sudden rise of the processing load is considered in the judgment at stage 1008. As shown in FIG. 10B, server computer protection apparatus 903 judges whether or not the data request from client 101 as accepted by data request acceptance unit 902 may be transferred to server 104 by data request transfer unit 904.

That is, at stage 1008, server computer protection apparatus 903 judges whether or not the new data request from client 101 may be transferred in consideration of the tendency of the load. If a sudden rise of the load is found for a predetermined client, there is the possibility that server 104 is under a DoS attack from that client, and server computer protection apparatus 903 judges that the new data request from that client may need to be annulled.

Conversely, the load of server 104 sometimes lowers suddenly as soon as a certain data request from client 101 is canceled. When the processing load lowers suddenly for a predetermined client, server computer protection apparatus 903 can judge that server 104 may possibly have been under a DoS attack from that client.

Whether or not there is a tendency toward a sudden lowering of the processing load is also considered in the judgment at stage 1008. As shown in FIG. 10B, server computer protection apparatus 903 judges whether or not the data request from client 101 as accepted by data request acceptance unit 902 may be transferred to server 104 by data request transfer unit 904.

That is, at stage 1008, server computer protection apparatus 903 judges whether or not the new data request from client 101 may be transferred in consideration of the tendency of the load. If a sudden lowering of the load is found, there is the possibility that server 104 has been under a DoS attack from that client, and server computer protection apparatus 903 judges that a new data request from that client is to be annulled rather than readily accepted.

In another example, in the calculation of the response probability byresponse probability calculation unit 906, response probabilitycalculation unit 906 can include a probability memory and consider avalue stored in this memory, as described below.

Response probability calculation unit 906 judges the load of server 104as applied by the corresponding client, on the basis of the processingsituation information of server 104 as received by processing situationreception unit 908. In this example, a calculated value is not directlyconverted into the load situation of server 104 for judgment, but thevalue is referenced to the value stored in the response probabilitymemory of response probability calculation unit 906.

In the calculation of server computer protection apparatus 903, valuesobtained from units 902 and 908 have been collectively converted intovalues which indicate load levels of “0” to “10”. Depending upon thevalues obtained from the respective units, the load level of the server104 might violently change from “0” to “10”, and the responseprobability to be calculated can greatly fluctuate.

Therefore, the values obtained from the respective units 902 and 908 arecollectively converted into a value which falls within a range of ±2.Subsequently, response probability calculation unit 906 adds the valuecollectively obtained to the value which is stored in the responseprobability memory. Then, the value fluctuates only within the range of±2 by one time of measurement, and server computer protection apparatus903 can suppress the great fluctuation of the response probability as inthe above example based on the assumption that the response probabilitymemory holds the values of “0” to “10”.

If the response probability fluctuates too rapidly, the load on server 104 is not constant, and server 104 sometimes becomes unstable.

Accordingly, the range of the values held in the response probability memory, and the range of the collective values obtained from the respective units 902 and 908, are appropriately determined, whereby the fluctuation of the number of data requests arriving at server 104 from client 101 can be relaxed so as to protect server 104.
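The smoothing just described, as an added example in Python that is not the patent's own code: a per-client stored level in the range 0 to 10 is moved by at most ±2 per measurement, and the share of new requests transferred to the server is derived from it. The class and function names, the linear mapping from stored level to transfer probability, and the rule that the ±2 step is the clamped difference between the measured and stored level are assumptions.

```python
import random
from dataclasses import dataclass

# Assumed constants: the memory holds load levels 0..10 and a single
# measurement may move it by at most +/-2, as the description states.
LEVEL_MIN, LEVEL_MAX = 0, 10
STEP_LIMIT = 2


def clamp(value: int, low: int, high: int) -> int:
    return max(low, min(high, value))


@dataclass
class ResponseProbabilityMemory:
    """Stored load level for one client (hypothetical name for the
    'response probability memory' of calculation unit 906)."""
    level: int = LEVEL_MIN

    def update(self, raw_level: int) -> int:
        """Fold one measurement (load level 0..10 obtained from the
        acceptance and processing-situation units) into the stored level.
        Assumption: the +/-2 collective value is the difference between
        measured and stored level, clamped to STEP_LIMIT."""
        delta = clamp(raw_level - self.level, -STEP_LIMIT, STEP_LIMIT)
        self.level = clamp(self.level + delta, LEVEL_MIN, LEVEL_MAX)
        return self.level

    def transfer_probability(self) -> float:
        """Share of new data requests forwarded to the server: 1.0 at
        stored level 0, 0.0 at stored level 10 (linear mapping assumed)."""
        return 1.0 - self.level / LEVEL_MAX

    def should_transfer(self, draw: float) -> bool:
        """Stage 1008 decision for one new request; draw is a uniform
        sample in [0, 1), so the request passes with transfer_probability."""
        return draw < self.transfer_probability()


def smoothed_levels(raw_levels, memory=None):
    """Run a series of measurements through the memory and return the
    stored level after each one, for comparison with the raw series."""
    if memory is None:
        memory = ResponseProbabilityMemory()
    return [memory.update(level) for level in raw_levels]


if __name__ == "__main__":
    # Constructed sample: the raw level jumps 0 -> 10 -> 0 -> 10 between periods.
    raw = [10, 10, 10, 0, 0, 0, 10]
    print("raw     :", raw)
    print("smoothed:", smoothed_levels(raw))  # [2, 4, 6, 4, 2, 0, 2]
    mem = ResponseProbabilityMemory(level=4)
    print("transfer new request:", mem.should_transfer(random.random()))
```

The smoothed series never jumps by more than two levels between periods, so the transfer rate seen by the server ramps instead of flipping between fully open and fully closed.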

Referring again to FIG. 9, when server computer protection apparatus 903 has judged that the new data request from predetermined client 101 is to be transferred to server 104, data request transfer unit 904 transfers this data request to server 104 (stage 1010). In contrast, when server computer protection apparatus 903 has judged that the new data request is not to be transferred, this data request is annulled within data request acceptance unit 902, and a new data request from predetermined client 101 is awaited again (stage 1006).

When the data request from predetermined client 101 has been transferred to server 104, server 104 subsequently issues a response to this data request, and hence server computer protection apparatus 903 transfers the response to predetermined client 101 (stage 1012).

If the connection from predetermined client 101 to server 104 is maintained, a similar operating flow is repeated again so as to await a new data request from predetermined client 101 toward server 104 (stage 1006).

According to the server computer protection method based on such a flow, the server computer protection apparatus relaxes the influence of a DoS attack that would otherwise burden the server and shut it down, without stopping the processing of the client, and provides fine-grained control of server computer protection for each client.

As a modification to each aspect, server 104 can incorporate the server computer protection apparatus 103, 503, 703, or 903 according to each aspect. Owing to such incorporation, it is unnecessary to separately and individually build server 104, which processes data requests from clients 101, and the server computer protection apparatus, which is disposed for the purpose of protecting server 104 against DoS attacks from unspecified clients 101. Therefore, the communication between the server computer protection apparatus and server 104 need not be performed through a network or the like.

With the server computer protection apparatus so incorporated, the time period that was required for the communication of each proxy response can be eliminated. Further, compared with a server 104 protected by a server computer protection apparatus requiring a plurality of enclosures, a server 104 with the server computer protection apparatus incorporated therein can reduce the space necessary for installation, because the same function is attainable with a single enclosure.

Other aspects related to the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. It is intended that the specification and examples be considered as exemplary only, with the true scope and spirit of the invention being indicated by the following claims.

1. A server computer protection apparatus for protecting a server computer against attacks, wherein the protection apparatus is coupled to client computers and the server computer is different and separate from the protection apparatus, the protection apparatus comprising: a data request acceptance unit configured to accept data requests sent from client computer; at least one request measurement unit configured to measure a number of data requests which have arrived from said client computers within a predetermined time period; a response measurement unit configured to measure a number of responses which have been made from said server computer to said client computers within the predetermined time period; at least one server load calculation unit configured to obtain a load state of said server computer by using measurements of said request measurement unit and said response measurement unit; and a data request transfer unit configured to change a rate of the number of data requests based on the load state determined by said server load calculation unit, wherein said server load calculation unit is configured to store said load state of said server computer; wherein said server load calculation unit changes the value stored in accordance with a new load state of said server computer; wherein, as said changed value exhibits a higher load, the rate of said number of the data requests which are to be transferred to said server computer is decreased by said data request transfer unit; and wherein, as said changed value exhibits a lower load, the rate of said number of the data requests which are to be transferred to said server computer is increased by said data request transfer unit.
2. The server computer protection apparatus as set forth in claim 1, wherein said server load calculation unit determines the load state from at least the number of data requests which are to be transferred to said server computer within said predetermined time period, relative to the number of data requests which have been accepted by said data request acceptance unit within said predetermined time period.
3. The server computer protection apparatus as set forth in claim 2, wherein in a case where said data request transfer unit has judged that a load of said server computer increases from said load state of said server computer as obtained by said server load calculation unit, the rate of said number of the data requests which are to be transferred to said server computer is decreased; and in a case where said data request transfer unit has judged that the load of said server computer decreases, the rate of said number of the data requests which are to be transferred to said server computer is increased.
 4. (canceled)
5. The server computer protection apparatus as set forth in claim 2, wherein the response measurement unit is configured to measure size of the responses made from said server computer to said client computer within said predetermined time period; wherein said server load calculation unit determines the load state from the size of the responses made from said server computer and as the measured size of the responses increases, the load is calculated to be higher by said server load calculation unit.
6. The server computer protection apparatus as set forth in claim 2, wherein said response measurement unit is configured to detect that the response from said server computer to said client computer has been resent; wherein said server load calculation unit determines the load state from the detection, and, when said response measurement unit has detected a resending, the load of said server computer which has resent said response to the data request of said client computer is calculated to have become higher by said server load calculation unit.
7. A server computer protection apparatus as set forth in claim 2, wherein said data request acceptance unit is configured to detect if said client computer has been forcibly cut off and to detect if any abnormality in a communication state exists; wherein the said server load calculation unit determines the load state from detected state and, when said data request acceptance unit has detected a forced cut off or an abnormal communication, the load of said server computer as corresponds to said client computer is calculated to have become higher by said server load calculation unit.
8. The server computer protection apparatus as set forth in claim 2, wherein said response measurement unit is configured to detect a new connection from said client computer; wherein said server load calculation unit determines the load state from the detected new connection and, when said response measurement unit has not detected a new connection within said predetermined time period, the load of said server computer as corresponds to said client computer is calculated by said server load calculation unit to have become lower.
9. A server computer protection method used in a protection apparatus for protecting a server computer against attacks, wherein the protection apparatus is coupled to client computers and the server computer is different and separate from the protection apparatus, comprising: accepting data requests sent from client computer; measuring a number of data requests which have arrived from said client computers within a predetermined time period; measuring a number of responses which have been made from said server computer to said client computers within the predetermined time period; obtaining a load state of said server computer by using the number of the data requests and the number of the responses; changing a rate of the number of data requests based on the obtained load state; changing a prestored value in accordance with the obtained load state of said server computer as corresponds to said client computer; lowering the rate of said number of the data requests which are to be transferred to said server computer as the stored value exhibits a higher load; and raising the rate of said number of the data requests as said stored value exhibits a lower load.
10. The server computer protection method as set forth in claim 9, wherein obtaining the load state from at least the number of data requests which are to be transferred to said server computer within said predetermined time period, relative to the number of data requests which have been accepted within said predetermined time period.
11. The server computer protection method as set forth in claim 9, wherein changing the rate comprises: lowering the rate of said number of the data requests which are to be transferred to said server computer when a load of said server computer has become higher than the obtained load state of said server computer; and increasing the rate of said number of the data requests which are to be transferred to said server computer when a load of said server computer has become lower than the obtained load state of said server computer.
 12. (canceled)
13. The server computer protection method as set forth in claim 10, further comprising: measuring the size of the responses made from said server computer to said client computer within said predetermined time period; obtaining the load state based on the size of the responses made from said server computer; and raising the rate of said number of the data requests as said stored value exhibits a lower load.
14. The server computer protection method as set forth in claim 10, further comprising: detecting that the response from said server computer to said client computer has been resent; and obtaining the load state based on the resent detection, wherein, when the response is resent, the load of said server is increased.
15. A server computer protection method as set forth in claim 10, further comprising: detecting if said client computer has been forcibly cut off and detecting if any abnormality in a communication state exists; and obtaining the load state based on the detected communication state, wherein, when the communication state is a forced cut off or an abnormal communication, the load of said server computer is increased.
16. The server computer protection method as set forth in claim 10, further comprising: detecting a new connection from said client computer; and obtaining the load state based on the detected new connection, wherein, the load of said server decreases when a new connection is detected within said predetermined time period.
17-24. (canceled)